CVE-2021-23555: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

February 11, 2022 (updated February 22, 2022)

The package vm2 is vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of a stacktraces, which can lead to execution of arbitrary code on the host machine.

References

github.com/advisories/GHSA-6pw2-5hjv-9pf7
github.com/patriksimek/vm2/commit/532120d5cdec7da8225fc6242e154ebabc63fe4d
nvd.nist.gov/vuln/detail/CVE-2021-23555
snyk.io/vuln/SNYK-JS-VM2-2309905

Detect and mitigate CVE-2021-23555 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →